GDPR: How to deal with an inbox full of privacy policies

Every time you join an online service or social media website you are presented with a privacy policy. Sometimes those policies are in excess of ten pages long. It's widely known that nobody bothers to read them.

Studies suggest that the majority of people do not understand the intricacies of privacy policies. In fact, a Pew Research Center study from 2014 revealed that half of Americans don’t even know what a privacy policy is.

This is concerning because privacy policies are a consumer’s window into the possible behaviors of the services they use. But even privacy experts struggle to get through the deluge of jargon. Lior Strahilevitz, a professor of law at the University of Chicago, yesterday admitted that “like most people, I don’t read the privacy policies that I’m sent - and I say that as a privacy lawyer”.

That seems like a startling confession. After all, if privacy lawyers aren’t reading the contents of privacy policies, surely the average person shouldn’t be expected to do so?

Why privacy policies matter

Recent revelations about Facebook have disclosed that data collected and inferred by Facebook analytics was used by a third-party firm called Cambridge Analytica (CA). CA used vast amounts of data to target borderline voters and alter their news feeds in order to influence their decisions in both the 2017 Presidential elections and the UK’s Brexit referendum.

Talking at Innovation fest, Blase Ur, an assistant professor at the University of Chicago Department of Computer Science, yesterday explained why he believes the Cambridge Analytica story has hit such a nerve.

“It is one of the few cases where an average consumer can see what happened with their data,” he said. “Normally we have data collected about us and it goes into the void and things get done to it, but we never really know what the outcome was.”

This time, citizens discovered explicit details about how their data “was scooped up by Cambridge Analytica and then probably used to influence Brexit and the Trump election,” added Ur.

During the session, Ur went on to explain that seemingly trivial facts about people can sometimes be important markers for particular beliefs or behavioral traits. It is these seemingly benign inferences that data analytics and behavioral experts use to influence people.

That is why it is so important to understand what personal data you are permitting firms to collect, store and process.

The GDPR update rush

At the moment, people are being presented with a sudden rush of privacy policy updates. This is because of Europe’s new GDPR legislation, which comes into effect on May 25. The new European legislation forces firms to tell consumers exactly what data is being collected and what it is being used for. Firms that use personal data for anything other than its original purpose are in breach of the regulation.

Although the legislation is European, some firms, such as Microsoft, have decided to roll out many elements of the regulation to their worldwide user base. For this reason, US citizens - and people elsewhere in the world - may also find themselves having to accept new policy updates in the coming weeks and months.

How to deal with the privacy policy conundrum

With so many privacy policy updates suddenly being published, what is the best advice when it comes to understanding and agreeing to those policies? According to Strahilevitz, the best thing to do is to rely on experts rather than to pick through the policy yourself:

“A good strategy for making sense of privacy policies as a layperson is not so much to read the privacy policy yourself, but to wait for organizations that do this for a living to actually go through and tell the world about really surprising or problematic terms.”

This is solid advice because when a large corporation releases a new privacy policy, it is common for organizations such as the Electronic Frontier Foundation, Privacy International, Open Rights Group, and the Privacy Coalition to carefully analyze those documents.

In addition, independent privacy experts and researchers often analyze new privacy policies for nasty “surprises,” and you can find their blog posts by searching online.

This means that, with very little effort, it is possible to find out if a privacy policy is receiving bad press and should be avoided.

Digital privacy expert with 4+ years experience testing and reviewing VPNs. He's been quoted in The Express, Barrons, the Scottish Herald, ThreatPost, CNET & many more. Ray is currently rated number 1 VPN authority by Agilience.com.

2 Comments

Edward John

A question on VPNs not related to the article, but I can't see any way of asking a question. Many sites one visits want to put cookies on your computer, which in the past didn't concern me but now it does. So if you use a VPN and the site you visit wants to put cookies on your computer, how can it do it if your IP address, using a VPN, is not your real IP address? Say if one was using NORD or some onion thingy so your location cannot be tracked all the way to your home computer, how could one continue to use their site if they can't get back to your IP address?

Douglas Crawford replied to Edward John

Hi Edward, cookies do not reveal your real IP address to websites, but they can be used to track you, and when combined with other forms of tracking, potentially uniquely identify you. VPNs are a vital part of your privacy toolkit, but they can't do anything. The best way to stop website tracking is with privacy browser add-ons (Cookie AutoDelete is imo the best way to handle cookies). It automatically deletes cookies when you close the browser tab that set them. This provides a high level of protection from tracking via cookies without “breaking” websites.